I just logged into some alt accounts and Yahoo forced me to update the password after login.

Also, if you had set up security questions/answers, disable them in your account settings. That information was unencrypted and is therefore compromised. Hope you didn’t use those same questions/answers for other sites.

Good luck with that since every site uses the same set of easily found or socially engineered information as security questions! Sorry. I hate hate hate security questions and can’t wait for them to die in a glorious fire. The good news is that since this was 2 years ago the data has probably already circulated.

I read about this here and immediately changed my password, set up 2 factor authentication and turned off the security questions. I got the email from Yahoo about this just this morning. Great work Yahoo.

Yeah, I was wondering why every time I logged in, Yahoo would suddenly and repeatedly prompt me to replace my password… After ignoring it for a few days I changed the password and suspected they’d been hacked but hadn’t come out and said as much (this was before it became public knowledge). That the whole thing happened two years ago is an absolute joke! Seriously, they can’t just sit on that info for THAT long and not say a peep!

Shows you how much you can trust them. I’m curious about the fact that they asked me to straight up remove my security questions, not change them. They also have an obnoxious prompt to restrict access to “secure” apps, without showing in any way what apps will get denied, even after the fact.

So what’s the legality of them sitting on this info for the best part of two years? Don’t they have some legal obligations to report this kind of breach within a reasonable period?

Well, they’re not alone. NSA lost the tools leaked by “The Shadow Broker” 3 years ago, and didn’t say anything until they were “officially” out in the wild. Meanwhile Cisco and other vendors had vulnerable products with no knowledge about it for years.

I like how, when I logged into Yahoo! To! Change! My! Password! they! Immediately! Asked! if! I! Wanted! To! Add! My! Phone! Number! (Presumably, so they could leak that as well…)